

new parsed tests with expected outputs and a fix to the func computing "intersection" between ANP's egress-ingress
shireenf-ibm committed Oct 8, 2024
1 parent 060e428 commit 793d3cb
Showing 11 changed files with 759 additions and 47 deletions.
616 changes: 570 additions & 46 deletions pkg/internal/testutils/parsed_resources_tests.go


22 changes: 21 additions & 1 deletion pkg/netpol/eval/check.go
Expand Up @@ -630,9 +630,29 @@ func (pe *PolicyEngine) getDefaultConns(src, dst k8s.Peer) (*k8s.PolicyConnectio

// getAdminPolicyConnFromEgressIngressConns gets egress and ingress connections between pair of peers from a single (b)anp,
// and returns the final connections between the peers from this policy's egress and ingress sections
// the main principle of this func is that: a connection is allowed iff both ingress and egress allow it (either implicitly or explicitly)
func getAdminPolicyConnFromEgressIngressConns(egressConns, ingressConns *k8s.PolicyConnections) *k8s.PolicyConnections {
egressConns.AllowedConns.Intersection(ingressConns.AllowedConns)
// by default any connection that is not captured by rules is allowed by the section
// so allowed conns are "all conns" minus (denied + passed conns)
egressNonCapturedAllowedConns := common.MakeConnectionSet(true)
egressNonCapturedAllowedConns.Subtract(egressConns.DeniedConns)
egressNonCapturedAllowedConns.Subtract(egressConns.PassConns) // egressNonCapturedAllowedConns contains all
// allowed conns by egress (captured + non-captured)
ingressNonCapturedAllowedConns := common.MakeConnectionSet(true)
ingressNonCapturedAllowedConns.Subtract(ingressConns.PassConns)
ingressNonCapturedAllowedConns.Subtract(ingressConns.DeniedConns) // ingressNonCapturedAllowedConns contains all the
// allowed connections by ingress (captured + non-captured)

// captured allowed conns by policy is intersection of captured allowed and non-captured allowed between the two directions
// egress captured allowed is:
(egressConns.AllowedConns).Intersection(ingressNonCapturedAllowedConns)
// ingress captured is :
(ingressConns.AllowedConns).Intersection(egressNonCapturedAllowedConns)
// final result - storing it in egressConns :
egressConns.AllowedConns.Union(ingressConns.AllowedConns)
egressConns.DeniedConns.Union(ingressConns.DeniedConns)
egressConns.PassConns.Union(ingressConns.PassConns)
// remove denied conns from pass (if a connection is denied it can not be passed forward)
egressConns.PassConns.Subtract(egressConns.DeniedConns)
return egressConns // stored final result in egressConns
}
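Review bot: `ingressConns.AllowedConns` is narrowed in place by the `(ingressConns.AllowedConns).Intersection(egressNonCapturedAllowedConns)` line, so the function now mutates both of its arguments while the doc comment only promises to "return the final connections"; a caller that keeps `ingressConns` around (for another peer pair, or for explainability output) would silently see the egress-filtered set, and because this is the allow/deny decision for a policy, such aliasing errors surface as wrong connectivity verdicts. If `PolicyConnections` offers a copy helper, intersect on a copy; otherwise add `// NOTE: both egressConns and ingressConns are modified in place; the result is accumulated in egressConns` to the doc comment so the side effect is explicit. The locals `egressNonCapturedAllowedConns`/`ingressNonCapturedAllowedConns` also contradict their own trailing comments (they hold every connection the direction allows, captured or not, i.e. all minus denied minus pass); a name like `egressAllowedIncludingDefault` would match the comment. It would also help to state why `PassConns` is subtracted from the implicit-allow set: a pass in one direction defers the verdict to lower-priority policies, so it must not count as an allow here.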
@@ -0,0 +1,20 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : All Connections
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : All Connections
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => y/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => y/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
@@ -0,0 +1,20 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => y/b[Pod] : All Connections
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => y/a[Pod] : All Connections
@@ -0,0 +1,16 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : TCP 80
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : TCP 80
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => y/b[Pod] : UDP 80
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => y/a[Pod] : UDP 80
@@ -0,0 +1,20 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : All Connections
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : All Connections
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
y/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
y/a[Pod] => y/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
y/b[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
y/b[Pod] => y/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
@@ -0,0 +1,16 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : TCP 80
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : TCP 80
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => y/b[Pod] : UDP 80
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => y/a[Pod] : UDP 80
@@ -0,0 +1,20 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : All Connections
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : All Connections
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => x/a[Pod] : All Connections
y/a[Pod] => x/b[Pod] : All Connections
y/a[Pod] => y/b[Pod] : All Connections
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => x/a[Pod] : All Connections
y/b[Pod] => x/b[Pod] : All Connections
y/b[Pod] => y/a[Pod] : All Connections
@@ -0,0 +1,16 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : All Connections
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : All Connections
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => y/b[Pod] : UDP 80
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => y/a[Pod] : UDP 80
@@ -0,0 +1,20 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => y/b[Pod] : All Connections
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => y/a[Pod] : All Connections
@@ -0,0 +1,20 @@
0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/a[Pod] => x/b[Pod] : All Connections
x/a[Pod] => y/a[Pod] : All Connections
x/a[Pod] => y/b[Pod] : All Connections
x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
x/b[Pod] => x/a[Pod] : All Connections
x/b[Pod] => y/a[Pod] : All Connections
x/b[Pod] => y/b[Pod] : All Connections
y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/a[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/a[Pod] => y/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
y/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
y/b[Pod] => y/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
